Fraud and corruption are key risks to both individual and organisational integrity.
However, integrity extends beyond fraud and corruption to areas such as workplace behaviour (for example, bullying and harassment), compliance and information security, amongst others. Whilst it is common practice for organisations to assign a single fraud risk owner, addressing broader integrity-related risks requires a coordinated, systematic approach encompassing several business areas and functions.
Guidance for such an approach is found in the Australian Standard for Fraud and Corruption Control ('AS 8001' or 'the Standard'). Structured across four pillars - foundations (governance), prevention, detection, and response - the Standard provides an impressive source of better practice guidance for the management of fraud and corruption risks.
The most recent revision of the Standard, issued in June 2021, includes a much stronger emphasis on both a proactive and holistic approach. It is a timely reminder for organisations to recognise connections between fraud, corruption, cybersecurity and information security risks, and recommends managing these as part of a broader integrity framework. Associated standards for risk management (AS ISO 31000), anti-bribery (AS ISO 37001) and information security (AS ISO 27001 suite) further assist organisations to design and implement more robust risk control programs.
In designing the most effective fraud and corruption control system, as the Standard refers to it, organisations should consider which aspects of AS 8001 are relevant to their business and how they should be applied. In our experience reviewing such systems, however, we have observed some common blind spots among organisations which leave them vulnerable to integrity breaches.
Coordination of resources (Foundations)
The controls in place to address one type of fraud risk often vary widely from the controls required for another. For example, segregation of duties within invoice processing does little to address the risk of false credentials by applicants in the recruitment process. Far too often, we see organisations taking a siloed approach to integrity management, with fraud risks relevant to different business areas and processes managed in isolation. Worse still, cybersecurity and information security risks are often considered entirely separately from fraud and corruption risks.
AS 8001 references the need for the development, implementation and maintenance of a fraud and corruption control system - a system founded on a coordinated approach to addressing integrity matters. To help identify trends, hotspots and emerging risks, there is a need for collaboration and cross-consideration of fraud, corruption, integrity, cyber and information security, and other organisational risks.
Multi-faceted fraud risk assessments and control testing (Foundations & Prevention)
Fraud and corruption risks are often grouped together when assessing risk at an enterprise level. In many cases though, we see that specific, unique and disparate process-level fraud risks are not recorded, tracked, assessed, nor managed through a robust risk management function. Further, the assessment of controls, if practised at all, is done on an attestation basis and not through a system of control effectiveness testing. There is also a human element involved, with risk factors arising from individuals' unique personal circumstances and requiring key enterprise-wide controls, such as training, culture and people management.
AS 8001 recommends addressing fraud risk across all levels - enterprise, operational and tactical. This requires a system of people working together but should also include periodic assessment of process-level fraud risks across an organisation's various functions, as well as assessment and testing of control effectiveness.
Fraud detection program (Detection)
When referencing fraud analytics, many clients think of advanced data analysis and dashboards. Many organisations may lack the expertise or resources to confidently or effectively attempt this level of analytics within their fraud detection program. As a result, we often see organisations that have neglected analytics entirely, rather than tailoring this to their capabilities or engaging external assistance.
The Standard recommends tailoring detection controls to align with an organisation's unique process-level fraud risks. While the level of detection controls should always reflect the level of risk, the journey towards proactive detection can start with something as ordinary as simple spreadsheet analysis. Implementing foundational detection controls is the first key step for organisations to implement an effective fraud detection program. Organisations can then further refine their detection systems through lessons learnt and enhanced knowledge of trends, hotspots and emerging risks.
Programmed response (Response)
Responding to an alleged or confirmed incidence of fraud or corruption can be a stressful time for organisations, drawing resources and management attention away from standard operations. The correct response to an incident is imperative to improve the chances of loss recovery, avoid other negative consequences (such as unfair dismissals, an unsettled workforce or ineffective investigation) and ensure issues (for example, control gaps) are remediated.
AS 8001 recommends having well-defined and documented fraud matrix that details escalation lines, decision workflows and procedures to provide guidance on how to respond and the appropriate roles and responsibilities when things do go wrong. This programmed response should also proactively seek to ensure the processes addressing the detection of integrity breaches and the collection of evidence are conducted in a legally defensible manner.
A multi-faceted, holistic approach
Fraud and corruption are key integrity-related risks, requiring organisations to adopt a coordinated, systematic approach. While important to identify which aspects of the AS 8001 apply to an individual organisation, it is critical for collaboration and consideration across all business functions to effectively address these risks. Best practice commands a multi-faceted, holistic approach, addressing risk across all levels and developing, implementing and maintaining controls testing and programmed detection and response mechanisms.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.